The 74,000 numbers of Barclays Bank


The UK faces an epidemic of telephone scams. Fraudsters are constantly calling people up pretending to be their bank. But how can you be sure the number displayed on your screen is genuine? You can't. The telecom system is hopelessly insecure and shouldn't be trusted for anything more complicated than dialling the speaking clock.

Barclays bank knows that customers are worried about this. So they've produced a handy website where you can see if a telephone number belongs to Barclays.

Because no one knows how to build a sensible web service any more, the page loads a 1.3MB JSON file containing every number that Barclays has.

https://www.barclays.co.uk/content/dam/json-files/TelephoneNumberChecker_26_03_2021.json

Over 74,000 numbers...

Long list of phone numbers in JSON format.

To be fair, Barclays does use a large number of prefixes for its phone numbers.
A long list of phone numbers, all with the same prefix.
But surely this could be handled in a more sensible way, like a regex?

Mind you, the service doesn't even work if you use the +44 prefix.

Error message when the phone number starts with the international prefix.

Nor if you accidentally include some trailing punctuation.

Error message is displayed when the phone number has a dot at the end.

Nor if you format it with dashes.

Error message when the phone has dash separators.

So a regex might be a bit beyond them.
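The three failures above are all input-normalisation problems rather than lookup problems. As an added example (not code from the post or from Barclays), here is the normalise-then-look-up step the checker is missing: rewrite +44/0044 to the trunk 0, strip separators and trailing punctuation, then do an exact membership test. The `KNOWN_GOOD` set is a constructed placeholder, not a real bank's numbers.

```python
import re
from typing import Optional

# Constructed placeholder list of "known-good" numbers in canonical national form
# (leading 0, digits only). These are NOT Barclays' real numbers.
KNOWN_GOOD = {
    "03451234567",
    "02071234567",
    "08001234567",
}

# Matches an international prefix written as +44, 0044 or bare 44, optionally
# followed by the bracketed trunk zero people often write: "+44 (0)20 ...".
_INTL_PREFIX = re.compile(r"^(?:\+|00)?44\s*\(?0?\)?")


def normalise_uk_number(raw: str) -> Optional[str]:
    """Reduce free-form user input to the canonical national form.

    Covers the three inputs the post shows the checker rejecting: the +44
    prefix, trailing punctuation, and dash (or space/bracket) separators.
    Returns None when what remains is not a plausible UK number.
    """
    s = raw.strip()
    s = _INTL_PREFIX.sub("0", s)   # "+44 20 ..." -> "0 20 ..."
    s = re.sub(r"\D", "", s)       # drop dashes, spaces, dots, brackets
    # UK national numbers: trunk 0 followed by 9 or 10 digits.
    if not re.fullmatch(r"0\d{9,10}", s):
        return None
    return s


def is_listed(raw: str, known: set = KNOWN_GOOD) -> bool:
    """Server-side style check: normalise first, then exact set membership."""
    canonical = normalise_uk_number(raw)
    return canonical is not None and canonical in known


if __name__ == "__main__":
    for sample in ["+44 345 123 4567", "0345-123-4567", "03451234567.",
                   "+44 (0)345 123 4567", "0345 123 4568", "not a number"]:
        print(f"{sample!r:25} -> {str(normalise_uk_number(sample)):12} "
              f"listed={is_listed(sample)}")
```

The point of putting both functions on the server is that the client only ever POSTs the raw string and gets back a yes/no; the list itself never has to be shipped to the browser, and it can be updated without anyone re-downloading 1.3MB. A "yes" still says nothing about who is actually calling, for the reason the page's own "top tip" gives.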

Now, in fairness, the site does say that just because a number appears to come from them - doesn't mean it is them.
It’s safe to call this number. Top tip: Fraudsters can 'spoof' phone numbers, this means they make it look like they're calling you from one of our numbers. If you receive a call and you're not totally sure it's from us, end the call and ring us back instead. You can use the number on the back of your Barclays debit card or any other number that our checker confirms is safe to call.

And, looking at the file name of the JSON file, it appears to be recently updated. Which is good, I guess. Although I still think it is weird to give fraudsters a list of every single number in your range.

But, seriously, why not POST the number to a service which can be updated? Wouldn't that make more sense than slowly downloading the nine billion names of god seventy-four thousand numbers of Barclays?

Thanks to The AntiSocialEngineer and Robert Schifreen for pointing this out.



12 thoughts on “The 74,000 numbers of Barclays Bank”

  1. ARRGH! I was this close to thanking them for handing out the list of numbers for me to spoof, but when I looked at the site I (stupidly) assumed the look up was on the backend...


  2. My tired brain read the first few words of the intro as "The UK facepalms..." but I guess it was accurate 🤦🏻‍♀️


  3. This is a great example of how not to solve a problem in that it doesn't solve the problem and it creates a whole new one that didn't exist before they compiled all their "valid" numbers on a single public document for the criminals to use. Own goal of epic proportions.


  4. Lee says:

    Yeah, but that's not the problem is it?
    Now that Barclays have published their official numbers, the scammer can download them into their phone system and use them to spoof the caller-id on the scammers' outgoing calls.

    Best just to say, "Thanks for the info", hang up the call. And then contact your bank from your mobile.

  5. In fairness, a regex would still be problematic so long as it's on the client side. It could be reverse engineered to create a list of valid Barclays phone numbers.

    The only sensible place for this list is behind a server side API endpoint.

    🤦


  6. Never understood why (for customers with internet at least) banks don't just offer a tool on their website to create/verify a challenge-response code pair so you can authenticate someone calling from the bank without needing to exchange any customer data in either direction


  7. Sounds like a good use case for a Bloom Filter. Only if there is a potential match via the filter do you need to do a web service lookup. But you don’t reveal the source data, and the size of the filter is much smaller than the data.


    1. Perl’s Regexp::Optimizer produced this which is only 43k

      I’ve probably done something wrong here but if I paste that regexp into a while(){if ($_=~qr/blah/){print}} kind of thing, it seems to allow, e.g., 83300414522 to pass even though it’s not in the original list (and indeed allows 175 swap-prefix-0-for-8 such mistakes.)

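The Bloom filter suggestion in comment 7 and the over-matching regex in the reply to it are two sides of the same trade-off: any compact stand-in for the list will accept some numbers that are not in it. The following is an added example, not code from the post or from any commenter, sizing a filter for a list of 74,000 entries at a 1% false-positive target and then measuring how many non-members slip through. `SAMPLE_NUMBERS` is a constructed stand-in for the real list; the sizing formulas are the standard ones.

```python
import hashlib
import math
from typing import Iterable, Iterator


class BloomFilter:
    """Minimal Bloom filter: a bit array plus k hash positions per item."""

    def __init__(self, expected_items: int, fp_rate: float) -> None:
        # Textbook sizing: m = -n ln(p) / (ln 2)^2 bits, k = (m / n) ln 2 hashes.
        self.m = math.ceil(-expected_items * math.log(fp_rate) / (math.log(2) ** 2))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str) -> Iterator[int]:
        # Derive k bit positions from one SHA-256 digest via double hashing
        # (h1 + i*h2 mod m), so we never need k separate hash functions.
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # force odd so the stride cycles
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def might_contain(self, item: str) -> bool:
        """False means definitely absent; True means 'probably present'."""
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

    def size_bytes(self) -> int:
        return len(self.bits)


# Constructed stand-in for the 74,000-number list: 0345 plus a 7-digit counter.
SAMPLE_NUMBERS = [f"0345{i:07d}" for i in range(74_000)]


def build_filter(numbers: Iterable[str], fp_rate: float = 0.01) -> BloomFilter:
    numbers = list(numbers)
    bf = BloomFilter(len(numbers), fp_rate)
    for n in numbers:
        bf.add(n)
    return bf


def measured_false_positive_rate(bf: BloomFilter, non_members: Iterable[str]) -> float:
    probes = list(non_members)
    hits = sum(1 for n in probes if bf.might_contain(n))
    return hits / len(probes)


if __name__ == "__main__":
    bf = build_filter(SAMPLE_NUMBERS)
    print(f"{len(SAMPLE_NUMBERS)} numbers -> {bf.size_bytes()} bytes, k={bf.k}")
    # Every listed number passes the filter, and nothing can be read back out of it.
    assert all(bf.might_contain(n) for n in SAMPLE_NUMBERS)
    # Non-members are usually rejected, but about 1% get through: the same kind of
    # over-acceptance the Regexp::Optimizer reply saw, so a filter hit still needs
    # confirming by an exact lookup on the server.
    probes = [f"0207{i:07d}" for i in range(10_000)]
    print(f"false-positive rate on 10,000 non-members: "
          f"{measured_false_positive_rate(bf, probes):.2%}")
```

At 74,000 entries and a 1% target the filter comes out under 90 KB against the 1.3MB JSON, and it cannot be turned back into the list of numbers. What it cannot do is give a definite "yes": a number that passes the filter has to go to the server for an exact check, which is the split the comment describes.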
